
CVE-2017-5617: svgSalamander

hello d-gis/Bas,

there is a security vulnerability in svgSalamander:

The problem occurs when including raster/svg images via <image>.
The reporter says "How to fix - any schemes apart from data in the
xlink:href attribute should be disallowed"

--> I am not aware of svgSalamander properties (the only other toggle I
can think of is java system properties), so can we _disable_ other
schemes? I don't think that breaks SVG rendering in Freeplane, how
about josm / other applications?

--> data: scheme seems to provide a way for including base64 encoded
raster/svg images inline in an SVG.

--> Can we discuss how to fix this?

Or shall we wait until Mark (the upstream author) fixes this
(might take a month)? Or at least ping him for a solution?

Cheers and Best Regards,
Felix Natter
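As an added example (not svgSalamander's, Debian's or the reporter's own code), a Java pre-render check that implements the reporter's suggestion: only data: references in <image> are accepted, and every other scheme, every relative reference and every unparseable value is refused before a renderer could follow it. The class and method names are assumptions and the SVG input is constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Hypothetical pre-render policy for <image> references (assumed name; not part of svgSalamander). */
public final class ImageHrefPolicy {
    private static final String SVG_NS = "http://www.w3.org/2000/svg";
    private static final String XLINK_NS = "http://www.w3.org/1999/xlink";
    /** RFC 3986 scheme: ALPHA *(ALPHA / DIGIT / "+" / "-" / ".") followed by ':', compared case-insensitively. */
    private static final Pattern SCHEME = Pattern.compile("^([A-Za-z][A-Za-z0-9+.-]*):");

    /** Only inline data: images pass; file:, http:, jar:, relative references and unparseable values are refused. */
    public static boolean isAllowedImageHref(String href) {
        if (href == null) return false;
        Matcher m = SCHEME.matcher(href.trim());
        return m.find() && m.group(1).equalsIgnoreCase("data");
    }

    /** Every <image> reference the policy rejects; an empty list means the document may be handed to the renderer. */
    public static List<String> rejectedImageHrefs(String svg) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, hence no XXE
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(svg.getBytes(StandardCharsets.UTF_8)));
        NodeList images = doc.getElementsByTagNameNS(SVG_NS, "image");
        List<String> rejected = new ArrayList<>();
        for (int i = 0; i < images.getLength(); i++) {
            Element img = (Element) images.item(i);
            // SVG 1.1 uses xlink:href; SVG 2 also allows a plain href attribute, so check both
            String href = img.hasAttributeNS(XLINK_NS, "href") ? img.getAttributeNS(XLINK_NS, "href") : img.getAttribute("href");
            if (!isAllowedImageHref(href)) rejected.add(href);
        }
        return rejected;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: one inline data: image (allowed) and one external reference (refused)
        String svg = "<svg xmlns='" + SVG_NS + "' xmlns:xlink='" + XLINK_NS + "'>"
                + "<image xlink:href='data:image/png;base64,iVBORw0KGgo='/>"
                + "<image xlink:href='http://example.invalid/logo.png'/></svg>";
        System.out.println("rejected image references: " + rejectedImageHrefs(svg));
    }
}
```

Running a document through rejectedImageHrefs before rendering, and refusing to render when the list is non-empty, gives the application-side equivalent of the toggle asked about above until upstream ships a fix.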
